Re: [modauthkerb] Response too big for UDP, retry with TCP
From: Daniel K. <ko...@ic...> - 2004-06-28 05:26:27
On Fri, Jun 25, 2004 at 05:09:45PM -0400, Webmaster wrote:
> I've compiled mod_auth_kerb with heimdal 6.1 libraries. I can
> authenticate with the kerberos 5 password method to an Active Directory
> KDC, but one of my users can't. mod_auth_kerb logs the "Response too
> big for UDP, retry with TCP" error. As an experiment, I went to this
> user's account, and removed like 10 group memberships for her, leaving
> something like 7 group memberships. With fewer groups, her login works
> fine. Is this problem known? If so, need I only wait for the next
> edition of mod_auth_kerb? If not, how can I enable mod_auth_kerb to
> authenticate using TCP instead of UDP? If I have PAM configured for
> kerberos authentication, will the two conflict if I must set some value
> in krb5.conf?
This problem is caused by a too long PAC blob (containing the Win AD group
memberships). It applies to the whole Kerberos deployment and can hardly be
solved by the module itself, so I recommend configuring the krb5.conf to
enforce TCP for communication with the KDC(s). For Heimdal you can use the
'tcp/' prefix added before the KDC hostname in the kdc line, e.g.:
    [realms]
        YOUR.REALM = {
            kdc = tcp/<your.kdc.fqdn>
        }
Your PAM module should be happy with this configuration. BTW, just for my
curiosity, the PAM module works well with UDP?
--
Daniel
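A small checker for the krb5.conf fix described above, added here as an example and not part of the original thread: it parses the [realms] section and lists every kdc entry that still lacks Heimdal's 'tcp/' prefix, i.e. the KDCs a large-PAC ticket reply can still fail against over UDP. The sample configuration and hostnames are constructed.

```python
import re
# Constructed sample krb5.conf (not from the thread): one realm still reaches a
# KDC over UDP, the other already carries Heimdal's 'tcp/' prefix.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
[realms]
    EXAMPLE.ORG = {
        kdc = dc1.example.org      # UDP first: a large PAC triggers the error
        kdc = tcp/dc2.example.org
        admin_server = dc1.example.org
    }
    FIXED.ORG = {
        kdc = tcp/dc1.fixed.org
    }
"""

def parse_realm_kdcs(conf_text):
    """Return {realm: [kdc values]} from the [realms] section of a krb5.conf."""
    realms, section, realm = {}, None, None
    for raw in conf_text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):      # new section header
            section, realm = line[1:-1].lower(), None
        elif section == "realms" and line.endswith("{"):      # start of REALM = {
            realm = line[:-1].split("=", 1)[0].strip()
            realms.setdefault(realm, [])
        elif section == "realms" and line == "}":             # end of realm block
            realm = None
        elif realm and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "kdc":
                realms[realm].append(value)
    return realms

def udp_kdcs(conf_text):
    """KDC entries per realm that lack the 'tcp/' prefix, so Heimdal may use UDP."""
    result = {}
    for realm, kdcs in parse_realm_kdcs(conf_text).items():
        udp = [k for k in kdcs if not k.startswith("tcp/")]
        if udp:
            result[realm] = udp
    return result

if __name__ == "__main__":
    for realm, kdcs in udp_kdcs(SAMPLE_KRB5_CONF).items():
        print(f"{realm}: not forced to TCP -> {', '.join(kdcs)}")
```

Run it against a real /etc/krb5.conf by reading the file into `udp_kdcs`; an empty result means every kdc line already forces TCP.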